Python for Azure: Monitor the Role-Based Access Control (RBAC) Limit on each Azure Subscription

Pavleen Singh Bali, published in Python for Azure, Feb 28, 2023 (4 min read)

Introduction: Managing access to cloud resources is a key responsibility for any company that uses the cloud. Azure role-based access control (Azure RBAC) lets you regulate who has access to Azure resources, what they can do with those resources, and which areas they can reach.

Azure RBAC is a fine-grained access management solution for Azure resources that is built on Azure Resource Manager. You grant access by assigning roles to users, groups, service principals, or managed identities at a particular scope. How to assign roles using the Azure portal is also covered in this article.

What is RBAC in Azure?

With Azure RBAC, you limit resource access by assigning Azure roles. This is an important idea to grasp, since it is how permissions are enforced.

RBAC in Azure [Source]

A role assignment is made up of three parts:

  • The security principal: An object that represents a user, group, service principal, or managed identity requesting access to Azure resources. A role can be assigned to any of these security principals.
  • The role definition: A collection of permissions, often simply called a role. A role definition lists the actions that can be performed, such as read, write, and delete. Roles can be general, like “Owner,” or specialized, like “Virtual Machine Reader.”
  • The scope: The set of resources to which the access applies. When you assign a role, you can further limit the permitted actions by defining a scope. This is useful if, for example, you only want to make someone a Website Contributor for one resource group. A scope can be specified at four levels in Azure: management group, subscription, resource group, or resource. Scopes are organized in a parent-child relationship, and roles can be assigned at any of these levels.

However, only 4000 role assignments are possible at the scope of each subscription; the challenge is how to monitor this critical number.

Let's say the subscription has reached 3995 role assignments and a new feature requires 10 more. Working out how to accommodate this request, or which legacy role assignments to delete, is exactly the last-minute chaos every company would like to avoid.

This article covers a solution that remediates the limitation stated above.

Hands-On Implementation via Azure Portal & Python SDK for Azure

Prerequisites

  • Python 3.6 or later is required to use this package.
  • You must have an Azure subscription to run the Python code below.

Setup

pip install -r requirements.txt

Workflow

  1. In this workflow demo, I have created a Service Principal (SP) called “listrbacdetails”, and the SP has been given the ‘contributor’ role assignment at the scope of the subscription.
SP given ‘contributor’ role at the scope of subscription

Note: Remember to create the ‘client secret’ for the SP you created and copy the value of the ‘secret’, as it is available only once, right after its creation. The client ID, tenant ID and subscription ID are also used in the Python script below.

SP: Certificates & Secrets
SP: “listrbacdetails”

2. The script below demonstrates how the Python SDK for Azure implements the workflow described above, i.e., monitoring the Role-Based Access Control (RBAC) limit on each subscription.

3. Before running the script, in the terminal of the IDE do the following steps:

  • Log in to your Azure account
az login --tenant <tenant_id>
  • Select the correct subscription
az account set --subscription <sub_id/sub_name>
  • After selecting the correct ‘Python Interpreter’ and the correct ‘Configuration’ for the scope of your project (“Working Directory”, etc.), run the script “monitor_role_assignment.py”.
  • Following is the Python run-console with the workflow logs; please observe the highlighted text below.
Python console with work-flow logs

Key Points from the Workflow:

  • For the above workflow the threshold has been set to 3500, i.e., if the role assignments at the scope of a subscription exceed the threshold, the workflow will fail and raise a warning, as shown in the example below.
Python console with work-flow logs
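The monitoring script itself is not reproduced on this page, so the following is an added example (not the author's monitor_role_assignment.py) that implements the same check with the Python SDK for Azure: it counts the role assignments at or below the subscription scope and fails the run once the 3500 threshold is crossed. It assumes the azure-identity and azure-mgmt-authorization packages (a version that provides list_for_subscription) and the environment variables named in the comments; the sample assignments at the bottom are constructed, not real data.

```python
"""Count the role assignments in one subscription and warn before the 4000 limit is hit."""
import os
import sys
from types import SimpleNamespace

ROLE_ASSIGNMENT_LIMIT = 4000   # Azure's fixed limit per subscription
DEFAULT_THRESHOLD = 3500       # warning threshold used in the article's workflow

def count_subscription_assignments(assignments, subscription_id):
    """Count assignments scoped at the subscription or below (resource groups, resources).
    Assignments inherited from a management group or the root are also returned by the API
    but do not count toward the per-subscription limit, so they are skipped."""
    prefix = f"/subscriptions/{subscription_id}".lower()
    return sum(1 for a in assignments if (a.scope or "").lower().startswith(prefix))

def evaluate(count, limit=ROLE_ASSIGNMENT_LIMIT, threshold=DEFAULT_THRESHOLD):
    """Classify the count as OK / WARNING / CRITICAL and report the remaining headroom."""
    remaining = limit - count
    if count >= limit:
        return "CRITICAL", f"{count} role assignments: the {limit} limit is reached"
    if count > threshold:
        return "WARNING", f"{count} role assignments exceed threshold {threshold}; {remaining} left"
    return "OK", f"{count} role assignments; {remaining} left before the {limit} limit"

def main():
    # Assumes azure-identity and azure-mgmt-authorization (a version with
    # list_for_subscription) are installed and that AZURE_TENANT_ID, AZURE_CLIENT_ID,
    # AZURE_CLIENT_SECRET (the SP's secret) and AZURE_SUBSCRIPTION_ID are exported;
    # DefaultAzureCredential also falls back to the `az login` session.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.authorization import AuthorizationManagementClient
    sub_id = os.environ["AZURE_SUBSCRIPTION_ID"]
    client = AuthorizationManagementClient(DefaultAzureCredential(), sub_id)
    count = count_subscription_assignments(client.role_assignments.list_for_subscription(), sub_id)
    status, message = evaluate(count)
    print(f"[{status}] {message}")
    sys.exit(0 if status == "OK" else 1)   # fail the workflow once the threshold is crossed

# Constructed sample (not real data) so the counting logic can be checked offline.
SAMPLE_SUB = "ab12cd34-0000-4000-8000-000000000000"
SAMPLE_ASSIGNMENTS = [
    SimpleNamespace(scope=f"/subscriptions/{SAMPLE_SUB}"),
    SimpleNamespace(scope=f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg-app"),
    SimpleNamespace(scope=f"/subscriptions/{SAMPLE_SUB.upper()}/resourceGroups/rg-app/providers/Microsoft.Web/sites/web1"),
    SimpleNamespace(scope="/providers/Microsoft.Management/managementGroups/mg-root"),  # inherited, skipped
]

if __name__ == "__main__":
    main()
```

Listing role assignments only needs the Microsoft.Authorization/roleAssignments/read permission, which the built-in Reader role already grants, so the service principal running this check does not have to hold Contributor.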
